[gentoo-server] Disable ARP

[gentoo-server] Disable ARP

[Jeff Rooney]

[-- Attachment #1: Type: text/plain, Size: 1195 bytes --]

Hi everyone,

I am trying to setup some virtual IP's on a couple of servers and keep 
running into trouble with ARP responses. What I need to do is apply an 
ip alias to the loopback interface and disable arp responses on this 
interface. I have done this a couple of different ways but with the same 
result...doesn't work =/

here is what I have done:
# ifconfig lo:1 10.10.10.116 netmask 255.255.255.255
# ifconfig lo:1 -arp

When that didn;t work I tried the iproute2 path and did:
# ip link set lo:1 arp off
# ifconfig lo:1
lo:1      Link encap:Local Loopback
          inet addr:10.1.10.116  Mask:255.255.255.255
          UP LOOPBACK RUNNING NOARP  MTU:16436  Metric:1

Everything appears to be set right, but it is still responding to arp 
requests:
# tcpdump -n | grep arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
21:25:18.686611 arp who-has 10.1.10.116 tell 10.1.10.29
21:25:18.686647 arp reply 10.1.10.116 is-at 00:02:b3:e9:41:3f


This really can't be that difficult of a task, but I have to be doing 
something wrong here. Any suggestions would be greatly appreciated.
--
Jeff


[-- Attachment #2: Type: text/html, Size: 1620 bytes --]

Re: [gentoo-server] Disable ARP

[Alex Efros]

Hi!

On Mon, Oct 15, 2007 at 04:13:01PM -0500, Jeff Rooney wrote:
> # ifconfig lo:1 10.10.10.116 netmask 255.255.255.255
> # ifconfig lo:1 -arp
> # ip link set lo:1 arp off
> # ifconfig lo:1
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

I've no idea about disabling arp, but you try to configure loopback and
then listen on eth0... :)

-- 
			WBR, Alex.
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] Disable ARP

[Jeff Rooney]

[-- Attachment #1: Type: text/plain, Size: 658 bytes --]

Yes I am trying to configure an IP alias on the loopback interface that 
I do not want to broadcast arp responses for. By listening on eth0 it 
shows that the NOARP flag is being ignored and that the loopback is 
responding to arp requests.

Alex Efros wrote:
> Hi!
>
> On Mon, Oct 15, 2007 at 04:13:01PM -0500, Jeff Rooney wrote:
>   
>> # ifconfig lo:1 10.10.10.116 netmask 255.255.255.255
>> # ifconfig lo:1 -arp
>> # ip link set lo:1 arp off
>> # ifconfig lo:1
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>>     
>
> I've no idea about disabling arp, but you try to configure loopback and
> then listen on eth0... :)
>
>   


[-- Attachment #2: Type: text/html, Size: 1049 bytes --]

Re: [gentoo-server] Disable ARP

[RijilV]

[-- Attachment #1: Type: text/plain, Size: 754 bytes --]

Agreed, if you configure the IP on the loopback interface then add the
following sysctl options it'll probably work how you want it to:

net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

.r'


On 10/15/07, Alex Efros <powerman@powerman.asdfgroup.com> wrote:
>
> Hi!
>
> On Mon, Oct 15, 2007 at 04:13:01PM -0500, Jeff Rooney wrote:
> > # ifconfig lo:1 10.10.10.116 netmask 255.255.255.255
> > # ifconfig lo:1 -arp
> > # ip link set lo:1 arp off
> > # ifconfig lo:1
> > listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> I've no idea about disabling arp, but you try to configure loopback and
> then listen on eth0... :)
>
> --
>                         WBR, Alex.
> --
> gentoo-server@gentoo.org mailing list
>
>

[-- Attachment #2: Type: text/html, Size: 1344 bytes --]

Re: [gentoo-server] Disable ARP

[Ramon van Alteren]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff Rooney wrote:
> This really can't be that difficult of a task, but I have to be doing
> something wrong here. Any suggestions would be greatly appreciated.

preup() {
        /sbin/ifconfig dummy0 -arp;
        return 0
        }

config_dummy0=( "ipaddress" )

Works for us, need the dummy module / kernel option of course.
Any reason you specifically need an lo interface or are you perhaps just
following old loadbalancer instructions ?

regards,

Ramon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFHE9xrwiVM6CtDHQ0RAsc/AJ0Q9H8Use6S4JbeB3gHM0S6sH6r9gCfdWfg
Uy7DbJFxayhjC95Kmaj6Uyc=
=9O9I
-----END PGP SIGNATURE-----
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] Disable ARP

[Jeff Rooney]

[-- Attachment #1: Type: text/plain, Size: 1072 bytes --]

Both methods appear to work as I hoped. 

Ramon: you where exactly right, I was following some documentation sent 
over with some load balancers that I am experimenting with. Unfortunatly 
their tech staff didn't have any real options for us other than blocking 
the arp responses via ebtables. Not sure why I didn't think about using 
the dummy interface instead of the loopback...guess its just been that 
sort of day for me =)

Thanks again for your help Ramon and RijilV.

--
Jeff

Ramon van Alteren wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeff Rooney wrote:
>   
>> This really can't be that difficult of a task, but I have to be doing
>> something wrong here. Any suggestions would be greatly appreciated.
>>     
>
> preup() {
>         /sbin/ifconfig dummy0 -arp;
>         return 0
>         }
>
> config_dummy0=( "ipaddress" )
>
> Works for us, need the dummy module / kernel option of course.
> Any reason you specifically need an lo interface or are you perhaps just
> following old loadbalancer instructions ?
>
> regards,
>
> Ramon
>   

[-- Attachment #2: Type: text/html, Size: 1526 bytes --]

Re: [gentoo-server] Disable ARP

[Ramon van Alteren]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff Rooney wrote:
> Both methods appear to work as I hoped.

Good.

> Ramon: you where exactly right, I was following some documentation sent
> over with some load balancers that I am experimenting with. Unfortunatly
> their tech staff didn't have any real options for us other than blocking
> the arp responses via ebtables. 

Mmmm interesting tech support, out of curiosity what loadbalancers are
you using ?

> Not sure why I didn't think about using
> the dummy interface instead of the loopback...guess its just been that
> sort of day for me =)

I have them too (those days), trying to ram the square block through the
round hole.... In some cases it even works :-)

> Thanks again for your help Ramon and RijilV.

You're welcome.
Word of warning: If you lose the noarp option on one of the real-servers
you will see very weird erratic behaviour which can be hard to debug.
Depending on the load you push through the loadbalancer the realserver
which sends an arp will die immediately or slowly whilst generating
weird bugs in your app.

Best way to check: login with ssh on the vip

Ramon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFHFHbrwiVM6CtDHQ0RAsRxAJ9sgT8zgOpXHh5h5axm4qg+IQwYkgCffP74
sebxQ45SkGvDAm+2SSb4ONU=
=khYz
-----END PGP SIGNATURE-----
-- 
gentoo-server@gentoo.org mailing list

Re: [gentoo-server] Disable ARP

[Jeff Rooney]

[-- Attachment #1: Type: text/plain, Size: 1634 bytes --]

Ramon van Alteren wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jeff Rooney wrote:
>   
>> Both methods appear to work as I hoped.
>>     
>
> Good.
>
>   
>> Ramon: you where exactly right, I was following some documentation sent
>> over with some load balancers that I am experimenting with. Unfortunatly
>> their tech staff didn't have any real options for us other than blocking
>> the arp responses via ebtables. 
>>     
>
> Mmmm interesting tech support, out of curiosity what loadbalancers are
> you using ?
>   
Currently I am working with the load master series from Kemp 
Technologies. I am also going to be trying Coyote Point as well, we 
still haven't decided which route to take.
>   
>> Not sure why I didn't think about using
>> the dummy interface instead of the loopback...guess its just been that
>> sort of day for me =)
>>     
>
> I have them too (those days), trying to ram the square block through the
> round hole.... In some cases it even works :-)
>
>   
>> Thanks again for your help Ramon and RijilV.
>>     
>
> You're welcome.
> Word of warning: If you lose the noarp option on one of the real-servers
> you will see very weird erratic behaviour which can be hard to debug.
> Depending on the load you push through the loadbalancer the realserver
> which sends an arp will die immediately or slowly whilst generating
> weird bugs in your app.
>
> Best way to check: login with ssh on the vip
>   
Thanks for the heads up...I am actually probably still going to end up 
running ebtables to filter the outbound arp responses from the vip 
addresses just to be safe.

Thanks again.
--
Jeff

[-- Attachment #2: Type: text/html, Size: 2364 bytes --]